JP4861426B2 - Method and server for providing mobility key - Google Patents


Info

Publication number
JP4861426B2
JP4861426B2 (application JP2008539397A)
Authority
JP
Japan
Prior art keywords
authentication
proxy server
subscriber
key
network
Prior art date
Legal status
Active
Application number
JP2008539397A
Other languages
Japanese (ja)
Other versions
JP2009515450A (en)
Inventor
ギュンター クリスティアン
クレーゼルベルク ディルク
ファルク ライナー
Original Assignee
Siemens Aktiengesellschaft
Priority date
Filing date
Publication date
Priority to DE102005052724 (DE102005052724.8)
Priority to DE102006008745A (DE102006008745A1)
Application filed by Siemens Aktiengesellschaft
Priority to PCT/EP2006/067930 (WO2007051776A1)
Publication of JP2009515450A
Application granted
Publication of JP4861426B2
Legal status: Active (current)
Anticipated expiration

Classifications

    • H04W 12/04 Key management, e.g. by generic bootstrapping architecture [GBA]
    • H04L 63/065 Network architectures or network communication protocols for network security for supporting key management in a packet data network for group communications
    • H04L 63/0884 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H04L 9/0833 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
    • H04L 9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L 9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04W 12/0017 Protecting confidentiality, e.g. by encryption or ciphering of control plane, e.g. signalling traffic
    • H04L 2209/42 Anonymization, e.g. involving pseudonyms
    • H04L 2209/76 Proxy, i.e. using intermediary entity to perform cryptographic operations
    • H04L 2209/80 Wireless
    • H04L 2463/061 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying further key derivation, e.g. deriving traffic keys from a pair-wise master key
    • H04L 63/08 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • H04W 12/00502 Time aware
    • H04W 12/06 Authentication
    • H04W 80/04 Network layer protocols, e.g. mobile IP [Internet Protocol]

Abstract

After a radio link is established between a mobile subscriber terminal and an access network, the subscriber is authenticated by a proxy server of an intermediate network, which forwards one or more authentication messages containing a subscriber identification from the access network to the subscriber's home network. If the subscriber is authenticated and the subscriber identification is already stored in the proxy server, the proxy server assigns a group-specific mobility key to the subscriber identification. When the home agent receives a registration request message originating from a subscriber terminal and containing a subscriber identification, it transmits a key request message containing that subscriber identification to the proxy server; if the subscriber identification in the key request message matches a subscriber identification stored by the proxy server, the proxy server provides the home agent with a mobility key for the cryptographic protection of mobility signalling messages.

Description

  The present invention relates to a method and a proxy server for providing a mobility key for cryptographically protecting mobility signaling messages for a home agent of a mobile radio network, in particular for an anonymous subscriber.

  The Internet with its TCP/IP protocol suite provides a platform for developing higher-level protocols for the mobile field. Because the Internet protocols are widespread, a large user base can be reached for mobile environments with corresponding protocol extensions. However, the conventional Internet protocols were not originally conceived for mobile applications. In conventional Internet packet switching, packets are exchanged between stationary computers whose network addresses do not change and which do not roam between different sub-networks. In a wireless network with mobile computers, a mobile computer MS is often attached to a succession of different networks. DHCP (Dynamic Host Configuration Protocol) implements the dynamic assignment of IP addresses and other configuration parameters to computers in a network by means of corresponding servers. A computer attached to the network is automatically assigned a free IP address by the DHCP protocol. When DHCP is installed on a mobile computer, the computer must operate within a local network that supports configuration via the DHCP protocol. The DHCP protocol realises dynamic address assignment: a free IP address is automatically assigned for a predetermined time, after which the mobile computer must issue a new request, or an IP address may be assigned in another way.

  With DHCP, a mobile computer can be attached to a network without manual configuration; the only prerequisite is that a DHCP server is available. The mobile computer can then use the services of the local network, for example files stored on a central server. However, if the mobile computer itself offers a service, a potential service user cannot locate it, because the IP address of the mobile computer changes with each network to which it is attached. The same problem occurs if the IP address changes while an IP connection is established: the connection is interrupted. With mobile IP, therefore, the mobile computer is assigned an IP address that it keeps in other networks as well. In conventional IP network switching, the IP address settings would have to be adapted accordingly, but continually adapting the IP and routing configuration of the terminal device by hand is practically impossible, and with the conventional automatic configuration mechanisms an established connection is broken when the IP address changes. The MIP protocol (RFC 2002, RFC 2977, RFC 3344, RFC 3846, RFC 3957, RFC 3775, RFC 3776, RFC 4285) supports the mobility of mobile terminal devices. With the conventional IP protocol, a mobile terminal device has to adapt its IP address each time it changes IP subnetwork so that data packets addressed to it are routed correctly; yet to maintain an established TCP connection it must keep its IP address, because the connection is cut off by an address change. The MIP protocol resolves this conflict by allowing a mobile terminal device or mobile node (MN) to own two IP addresses: a permanent home address and a temporary care-of address, with a transparent connection between the two. The care-of address is the IP address at which the mobile terminal device can currently be reached.

  The home agent is an agent of the mobile terminal device when the mobile terminal device does not exist in the original home network. The home agent is constantly notified of information about the current location of the mobile computer. The home agent is usually a component of a router in the home network of the mobile terminal device. When the mobile terminal device exists outside the home network, the home agent provides a function that allows the mobile terminal device to log in. In this case, the home agent transfers the data packet addressed to the mobile terminal to the current sub-network of the mobile terminal.

  A foreign agent exists in the subnetwork in which the mobile terminal device is currently moving. The foreign agent forwards incoming data packets to the mobile terminal device or mobile computer. The foreign agent is located in a so-called foreign network (visited network) and is also usually a component of a router. The foreign agent routes all administrative mobile IP data packets between the mobile terminal device and its home agent. It unpacks the IP data packets tunneled from the home agent and forwards the data to the mobile terminal device.

  The home address of the mobile terminal device is an address that allows constant access to the mobile terminal device. The home address has the same address prefix as the home agent. The care-of address is an IP address used by the mobile terminal device in the foreign network.

  The home agent manages a so-called mobility binding table (MBT). Its entries correlate the two addresses of a mobile terminal device, the home address and the care-of address, and data packets are rerouted accordingly. Each MBT entry contains the home address, the care-of address, and the period (lifetime) for which this association is valid. FIG. 1 shows an example of a mobility binding table according to the prior art.

  The foreign agent (FA) keeps a visitor list (VL), which contains information on the mobile terminal devices currently present in the foreign agent's IP network. FIG. 2 shows an example of such a visitor list according to the prior art.

  In order to be able to link a mobile computer to a network, the mobile computer must first identify whether it is in a home network or an external network. Additionally, the mobile terminal device must identify which computer in the subnetwork is a home agent or a foreign agent. These pieces of information are obtained by so-called agent discovery.

  In the subsequent registration, the mobile terminal device informs its home agent of its current location. For this purpose, the mobile computer or mobile terminal device transmits its current care-of address to the home agent: the mobile computer sends a registration request to the home agent, and the home agent (HA) enters the care-of address in its list and answers with a registration reply. This is where a security problem arises. In principle any computer can send a registration request to the home agent, so the home agent could be led to believe that this computer is the mobile computer that has moved to another network. An outside computer could then receive all data packets destined for the mobile computer or mobile terminal device without the sender noticing. To prevent this, the mobile computer and the home agent share a common secret key. When the mobile computer returns to its home network, it deregisters with the home agent, since it can now receive all data packets itself. A mobile radio network must in particular have the following security characteristics:

  Access to information is granted only to the intended communication partner; an unwanted eavesdropper must not be able to access the transmitted data. In other words, the mobile radio network must provide confidentiality. In addition, authenticity must be provided: with authenticity, a communication partner can establish unambiguously whether communication has actually been set up with the intended partner or whether an outsider is posing as that partner. Authentication can be performed per message or per connection. If authentication is performed per connection, the communication partner is identified only once, at the start of the session; for the remainder of the session it is assumed that subsequent messages still originate from the corresponding sender. Even when the identity of a communication partner has been confirmed, that is, the partner has been authenticated, the partner is not necessarily allowed to access all resources or use all services of the network. Such authorization presupposes prior authentication of the communication partner.

  In mobile data networks, messages travel a relatively long path over the air interface, so that potential attackers can easily access them. Security aspects are therefore very important in mobile radio data networks. The essential means of increasing security in data networks is cryptography. Encryption allows data to be transmitted over an insecure communication path, for example an air interface, without an unauthorized third party being able to read the data. For encryption, the data, the so-called plaintext, is converted into ciphertext by an encryption algorithm; the ciphertext can be transmitted over an insecure data transmission channel and subsequently decrypted.

  WiMax (Worldwide Interoperability for Microwave Access), a new standard based on IEEE 802.16 radio transmission, has been proposed as a very promising radio access technology. With WiMax, a transmitting station can cover an area of up to 50 km at a data rate of 100 Mbit/s.

  FIG. 3 shows a reference model for a WiMax wireless network. The mobile terminal device MS exists in an access network (ASN: Access Serving Network). The access network ASN is connected to a home network HCSN (Home Connectivity Service Network) via at least one visited network (VCSN) or an intermediate network. Different networks are connected to one another via an interface or reference point R. The home agent HA of the mobile station MS exists in the home network HCSN or the visited network VCSN.

  WiMax supports two implementation variants of mobile IP: so-called client MIP (CMIP), in which the mobile station itself implements the MIP client function, and proxy MIP (PMIP), in which the MIP client function is implemented by the WiMax access network. The function provided for this in the ASN is called the proxy node (PMN) or PMIP client. MIP can thus also be used by mobile stations that do not support MIP themselves.

  FIG. 4 shows connection establishment in the proxy MIP according to the prior art when the home agent exists in the visited network.

  After the wireless connection between the mobile terminal device and the base station has been established, access authentication is performed first. The authentication, authorization and accounting functions are performed by a so-called AAA server (AAA: Authentication, Authorization and Accounting). Authentication messages are exchanged between the mobile terminal device MS and the AAA server of the home network (HAAA), and the address of the home agent and an authentication key are obtained through these messages. The authentication server in the home network holds the subscriber profile data. The AAA server receives an authentication request message containing the subscriber identifier of the mobile terminal device. After successful access authentication, the AAA server generates an MSK key (MSK: Master Session Key) to protect the data transmission path between the mobile terminal device MS and the base station of the access network ASN. This MSK key is transmitted from the AAA server of the home network to the access network ASN via the intermediate network CSN.

  After access authentication, as can be seen from FIG. 4, a DHCP proxy server is configured in the access network ASN. If the IP address and host configuration are already included in the AAA response message, all information is downloaded to the DHCP proxy server.

  After successful authentication and authorization, the mobile station or mobile terminal device MS sends a DHCP discovery message and IP address assignment is performed.

  When the access network ASN supports both PMIP and CMIP mobility, the foreign agent notifies the ASN handover function by transmitting the R3 mobility context message. This can be omitted in networks that only support PMIP. After the home address is read, this home address is transferred to the PMIP client.

  Subsequently, MIP registration is performed. During registration, the home agent is informed of the current location of the mobile terminal device: the mobile computer sends the home agent a registration request containing its current care-of address, and the home agent enters the care-of address in a list it manages and answers with a registration reply. In principle any computer can send a registration request to the home agent, so the home agent could be led to believe that this computer is the mobile computer that has moved to another network. To prevent this, the mobile computer and the home agent use a common secret key, i.e. the MIP key. If the home agent (HA) does not know the MIP key, it obtains the MIP key by communicating with the home AAA server for this purpose.

  After the connection establishment shown in FIG. 4 is completed, the mobile terminal device receives the home address and is registered with the home agent.
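The registration step described above, as an added Python illustration that is not part of the patent: a home agent keeps a mobility binding table of the kind shown in FIG. 1 (home address, care-of address, lifetime) and accepts a registration request only if its authenticator was computed with the secret it shares with that mobile node, which is the countermeasure against an arbitrary computer registering itself as the mobile terminal. The message layout, the HMAC-SHA256 authenticator, the monotonically increasing identification value used to detect replays, and all addresses and keys are constructed assumptions for this example; real Mobile IP (RFC 3344) defines its own authentication extension and identification field.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass


@dataclass
class Binding:
    """One mobility binding table entry (fields as in FIG. 1 of the patent)."""
    home_address: str
    care_of_address: str
    expires_at: float  # absolute time after which the binding is stale


class HomeAgent:
    def __init__(self, shared_keys):
        # home address -> secret shared with that mobile node (assumed pre-provisioned)
        self.shared_keys = dict(shared_keys)
        self.bindings = {}    # mobility binding table: home address -> Binding
        self.last_ident = {}  # home address -> last accepted identification (replay check)

    @staticmethod
    def _authenticator(key, home, coa, lifetime, identification):
        # Assumed message format: the protected fields joined with '|' and HMAC-SHA256'd.
        msg = f"{home}|{coa}|{lifetime}|{identification}".encode()
        return hmac.new(key, msg, hashlib.sha256).digest()

    def register(self, home, coa, lifetime, identification, authenticator, now=None):
        """Process a registration request; return 'accepted' or a rejection reason."""
        now = time.time() if now is None else now
        key = self.shared_keys.get(home)
        if key is None:
            return "rejected: unknown mobile node"
        expected = self._authenticator(key, home, coa, lifetime, identification)
        if not hmac.compare_digest(expected, authenticator):
            return "rejected: bad authenticator"   # sender does not hold the shared secret
        if identification <= self.last_ident.get(home, -1):
            return "rejected: replayed identification"
        self.last_ident[home] = identification
        if lifetime == 0:
            # Lifetime 0 is a deregistration (mobile node back in its home network).
            self.bindings.pop(home, None)
            return "accepted"
        self.bindings[home] = Binding(home, coa, now + lifetime)
        return "accepted"

    def lookup(self, home, now=None):
        """Care-of address to tunnel to, or None if no valid binding exists."""
        now = time.time() if now is None else now
        b = self.bindings.get(home)
        if b is None or b.expires_at <= now:
            self.bindings.pop(home, None)   # drop expired entries lazily
            return None
        return b.care_of_address


def mobile_node_request(key, home, coa, lifetime, identification):
    """Mobile node side: build the request fields plus the authenticator."""
    return (home, coa, lifetime, identification,
            HomeAgent._authenticator(key, home, coa, lifetime, identification))


def demo():
    key = b"constructed-shared-secret"          # constructed sample secret
    home, coa = "10.0.0.5", "192.0.2.77"        # constructed sample addresses
    ha = HomeAgent({home: key})
    req = mobile_node_request(key, home, coa, 600, 1000)
    r1 = ha.register(*req, now=0)                                  # genuine request
    first_coa = ha.lookup(home, now=10)
    forged = (home, "198.51.100.9", 600, 1001, b"\x00" * 32)
    r2 = ha.register(*forged, now=20)                              # no shared secret
    r3 = ha.register(*req, now=30)                                 # replay of the first request
    expired = ha.lookup(home, now=700)                             # lifetime elapsed
    r5 = ha.register(*mobile_node_request(key, home, coa, 600, 1001), now=710)
    second_coa = ha.lookup(home, now=711)
    r4 = ha.register(*mobile_node_request(key, home, home, 0, 1002), now=720)  # deregister
    gone = ha.lookup(home, now=721)
    return r1, first_coa, r2, r3, expired, r5, second_coa, r4, gone


if __name__ == "__main__":
    print(demo())
```

The `now` parameters only make the example deterministic; in a running agent the wall clock drives binding expiry. The identification check is deliberately strict (a value equal to the last accepted one is a replay), which is the property a home agent needs so that a captured registration cannot be resent to re-point the tunnel.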

  However, if the home AAA server does not supply the attributes or data expected by the WiMax protocol, the connection establishment shown in FIG. 4 cannot take place. For example, if the home AAA server is a 3GPP server or another AAA server that does not support WiMax interworking, the home AAA server cannot provide the data attributes required for MIP registration, in particular the home address and the cryptographic key. The home agent HA therefore does not receive the MIP key (MSK: Master Session Key) and rejects the subscriber.

  Accordingly, an object of the present invention is to provide a method for providing a mobility key for a mobile wireless network in which an authentication server of a home network does not support MIP registration.

  According to the invention, this problem is solved by a method having the features set forth in claim 1.

The present invention relates to a method for providing at least one mobility key for cryptographically protecting mobility signaling messages for a home agent, which method comprises the following steps:
A wireless connection is established between the mobile subscriber terminal and the access network, and an authentication proxy server of the intermediate network forwards at least one authentication message containing a subscriber identifier to authenticate the subscriber. If the subscriber identifier contained in the authentication message is already stored in the authentication proxy server and the authentication by the home network authentication server succeeds, the authentication proxy server associates a group-specific mobility key with the subscriber identifier;
a registration request message originating from the subscriber terminal device and containing the subscriber identifier is received by the home agent;
a key request message for the mobility key, containing the subscriber identifier from the registration request message, is sent from the home agent to the associated authentication proxy server;
if the subscriber identifier contained in the key request message matches one of the subscriber identifiers stored by the authentication proxy server, the mobility key is provided to the home agent by the authentication proxy server.

  In an advantageous embodiment of the method according to the invention, if the subscriber identifier contained in the authentication message is not yet stored in the authentication proxy server, the authentication proxy server generates a subscriber-specific mobility key upon successful authentication by the home network authentication server and associates this mobility key with the subscriber identifier.

  In an advantageous embodiment of the method according to the invention, the generated subscriber-specific mobility key is erased by the authentication proxy server after a predetermined short period of time.

  In an advantageous embodiment of the method according to the invention, the generated subscriber-specific mobility key is deleted by the authentication proxy server after provisioning this mobility key to the home agent.

  In an advantageous embodiment of the method according to the invention, the group-specific mobility key is erased by the authentication proxy server after a predetermined long period of time.

  In an advantageous embodiment of the method according to the invention, if the subscriber identifier contained in the authentication message is already stored in the authentication proxy server, the authentication proxy server updates the time stamp associated with the subscriber identifier and sets an associated flag indicating that the associated mobility key is a group-specific mobility key.

  In an advantageous embodiment of the method according to the invention, the mobility key is randomly generated by the authentication proxy server.

  In an advantageous embodiment of the method according to the invention, upon successful authentication the authentication server of the home network transmits the MSK key contained in the authentication message to the authentication client of the access network via the authentication proxy server.

  In an alternative embodiment of the method according to the invention, the mobility key is not generated randomly by the authentication proxy server but is derived by the authentication proxy server from the transmitted MSK key.

  In an advantageous embodiment of the method according to the invention, the mobility key forms part of the transmitted MSK key.

  In an alternative embodiment of the method according to the invention, the mobility key is identical to the transmitted MSK key.
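The following Python model is added here as an illustration and is not the patent's own code. It implements the authentication proxy server's bookkeeping as the method steps and the embodiments above describe it: a table keyed by subscriber identifier holding the mobility key, a time stamp and a group flag (the fields named for FIG. 9); a randomly generated subscriber-specific key for an identifier seen for the first time, and the group-specific key, with the flag set and the time stamp updated, for an identifier that is already stored; erasure of a subscriber-specific key once it has been handed to the home agent or after a short period, and of a group-specific key after a long period; and a key request that is answered only when the identifier matches a stored one. The lifetimes, the HMAC-SHA256 derivation used for the "derived from the MSK" variant, and all identifiers and key values are assumptions of this example.

```python
import hashlib
import hmac
import os

# Lifetimes are assumptions; the patent only speaks of "short" and "long" periods.
SHORT_LIFETIME = 60          # seconds: subscriber-specific keys are erased after this
LONG_LIFETIME = 24 * 3600    # seconds: group-specific keys are erased after this


class AuthProxyServer:
    """Authentication (AAA) proxy key table: NAI -> {key, timestamp, group}."""

    def __init__(self, group_key=None, derive_from_msk=False):
        self.table = {}
        self.group_key = group_key if group_key is not None else os.urandom(32)
        self.derive_from_msk = derive_from_msk

    def _subscriber_key(self, msk):
        if self.derive_from_msk and msk is not None:
            # Alternative embodiment: key derived from the transmitted MSK. The KDF
            # (HMAC-SHA256 over a fixed label) is an assumption of this example.
            return hmac.new(msk, b"mobility-key", hashlib.sha256).digest()
        # Preferred embodiment: key randomly generated by the proxy server.
        return os.urandom(32)

    def on_authentication_result(self, nai, success, msk=None, now=0):
        """Called when the home AAA server's answer to the forwarded authentication
        message passes through the proxy. Returns the group flag, or None on failure."""
        if not success:
            return None
        entry = self.table.get(nai)
        if entry is None:
            # Identifier not yet stored: associate a subscriber-specific key.
            self.table[nai] = {"key": self._subscriber_key(msk),
                               "timestamp": now, "group": False}
        else:
            # Identifier already stored: associate the group-specific key,
            # update the time stamp and set the group flag.
            entry.update(key=self.group_key, timestamp=now, group=True)
        return self.table[nai]["group"]

    def on_key_request(self, nai):
        """Key request from the home agent carrying the NAI of the registration request."""
        entry = self.table.get(nai)
        if entry is None:
            return None  # no matching identifier: no key is provided
        key = entry["key"]
        if not entry["group"]:
            del self.table[nai]  # subscriber-specific key erased once provisioned
        return key

    def expire(self, now):
        """Erase entries whose short (subscriber) or long (group) period has elapsed."""
        for nai, entry in list(self.table.items()):
            limit = LONG_LIFETIME if entry["group"] else SHORT_LIFETIME
            if now - entry["timestamp"] >= limit:
                del self.table[nai]


def demo():
    proxy = AuthProxyServer(group_key=b"G" * 32)   # constructed group key
    # Two terminals authenticate with the same (constructed) identifier in quick succession.
    g1 = proxy.on_authentication_result("anon@example.org", True, now=0)
    g2 = proxy.on_authentication_result("anon@example.org", True, now=5)
    group_key = proxy.on_key_request("anon@example.org")
    # An individual subscriber: its key is gone after it was provisioned once.
    proxy.on_authentication_result("user@example.org", True, now=10)
    user_key = proxy.on_key_request("user@example.org")
    second_request = proxy.on_key_request("user@example.org")
    unknown = proxy.on_key_request("nobody@example.org")
    # A subscriber-specific key that is never fetched is erased after the short period.
    proxy.on_authentication_result("short@example.org", True, now=20)
    proxy.expire(now=20 + SHORT_LIFETIME)
    short_gone = proxy.on_key_request("short@example.org")
    still_group = proxy.on_key_request("anon@example.org")
    # After the long period the group-specific entry is erased as well.
    proxy.expire(now=5 + LONG_LIFETIME)
    after_long = proxy.on_key_request("anon@example.org")
    return (g1, g2, group_key == b"G" * 32, len(user_key) == 32, second_request,
            unknown, short_gone, still_group == b"G" * 32, after_long)


def derive_demo(msk=b"constructed-msk-bytes-0000000000"):
    """Check the MSK-derived variant against the assumed KDF."""
    proxy = AuthProxyServer(derive_from_msk=True)
    proxy.on_authentication_result("cmip@example.org", True, msk=msk, now=0)
    key = proxy.on_key_request("cmip@example.org")
    return key == hmac.new(msk, b"mobility-key", hashlib.sha256).digest()


if __name__ == "__main__":
    print(demo(), derive_demo())
```

The point worth noticing for a deployment is the two erasure rules: a subscriber-specific key lives only until the home agent has fetched it (or a short period has elapsed), so the proxy never accumulates per-subscriber secrets, whereas the group-specific key is shared and long-lived, which is why the patent ties it to identifiers that have already been seen rather than to a single subscriber.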

  In an embodiment of the method according to the invention, the authentication message is transmitted according to a RADIUS data transmission protocol.

  In an alternative embodiment of the method according to the invention, the authentication message is transmitted according to a DIAMETER data transmission protocol.

  In an advantageous embodiment of the method according to the invention, the access network is formed by a WiMax access network ASN.

  In an advantageous embodiment of the method according to the invention, the intermediate network is formed by a WiMax intermediate network CSN.

  In a first embodiment of the method according to the invention, the home network is a 3GPP network.

  In an alternative embodiment of the method according to the invention, the home network is formed by a network that provides an AAA infrastructure for WLAN subscribers (WLAN network).

  In an advantageous embodiment of the method according to the invention, the subscriber identifier is formed by a network access identifier (NAI).

  In an advantageous embodiment of the method according to the invention, a mobility key is additionally provided to the PMIP client of the access network.

  In an advantageous embodiment of the method according to the invention, there are a plurality of intermediate networks between the access network and the home network.

  In a first embodiment of the method according to the invention, a home agent is present in the home network.

  In an alternative embodiment of the method according to the invention, a home agent is present in the intermediate network.

  In a first embodiment of the method according to the invention, an authentication proxy server is provided in the home network.

  In an alternative embodiment of the method according to the invention, an authentication proxy server is provided in one of the intermediate networks.

  Furthermore, the present invention provides an authentication proxy server for providing a mobility key for cryptographically protecting mobility signaling messages, which authentication proxy server, after successful authentication of a subscriber by means of an authentication message containing the subscriber identifier, associates a group-specific mobility key with the subscriber identifier when a corresponding subscriber identifier is already stored in the authentication proxy server.

In the following, advantageous embodiments of the method according to the invention and of the authentication proxy server according to the invention are described with reference to the accompanying drawings in order to explain the essential features of the invention. In the drawings:
FIG. 1 shows an example of a mobility binding table according to the prior art.
FIG. 2 shows an example of a visitor list according to the prior art.
FIG. 3 shows a reference network structure for a WiMax wireless network.
FIG. 4 shows connection establishment in a conventional WiMax network according to the prior art.
FIG. 5 shows a network structure according to an advantageous embodiment of the method according to the invention.
FIG. 6 shows a flow chart for explaining the function of the method according to the invention.
FIG. 7 shows another flow chart for explaining the function of the method according to the invention.
FIG. 8 shows a chart for explaining the function of the method according to the invention.
FIG. 9 shows an example of a table stored in an advantageous embodiment of an authentication proxy server according to the present invention.

  As can be seen from FIG. 5, the mobile terminal device 1 is connected to the base station 3 of the access network 4 via the wireless interface 2. The mobile terminal device 1 is any mobile terminal device, such as a laptop, PDA, mobile phone or other mobile terminal device. A base station 3 of the access network 4 is connected to an access network gateway 6 via a data transmission line 5. The access gateway computer 6 preferably incorporates other functions, in particular a foreign agent 6A, a PMIP client 6B, an AAA client server 6C and a DHCP proxy server 6D. The foreign agent 6A is a router, and this router provides a routing service for the mobile terminal device 1. The data packet to the mobile terminal device 1 is tunneled and transmitted, and is unpacked by the foreign agent 6A.

  The gateway 6 of the access network 4 is connected to the computer 8 of the intermediate network 9 via the interface 7. The computer 8 includes a DHCP server 8A, a home agent 8B and an AAA proxy server 8C. The home agent 8B acts as the agent of the mobile terminal device 1 whenever the mobile terminal device 1 is not located in its original home network. The home agent 8B is always kept informed of the current location of the mobile computer. A data packet for the mobile terminal device 1 is first transmitted to the home agent, tunneled from there and forwarded to the foreign agent 6A. Conversely, data packets sent by the mobile terminal device 1 can be transmitted directly to the respective communication partner. A data packet of the mobile terminal device 1 carries the home address as its sender address. The home address has the same prefix, that is, the same network address and subnetwork address, as the home agent 8B. A data packet transmitted to the home address of the mobile terminal device 1 is received by the home agent 8B, tunneled from the home agent 8B to the care-of address of the mobile terminal device 1 and finally received at the end point of the tunnel, that is, by the foreign agent 6A or by the mobile terminal device itself.

  The computer 8 in the intermediate network is connected to the authentication server 11 in the home network 12 through another interface 10. The home network 12 is, for example, a 3GPP network for UMTS. In an alternative embodiment, the server 11 is a WLAN network authentication server. The authentication server 11 shown in FIG. 5 does not support MIP registration.

  According to the method of the present invention, when the AAA proxy server 8C of the computer 8 identifies that the AAA server 11 of the home network 12 does not support MIP (CMIP/PMIP), it provides a mobility key for protecting the mobility signaling messages relating to the home agent 8B by encryption. The AAA proxy server 8C identifies that CMIP/PMIP is not supported, for example, by the fact that it receives no MIP attribute from the server 11 of the home network 12 in response to its query. To protect mobility signaling messages by encryption, a common mobility key (MIP key) is required for the home agent 8B and the mobile terminal device 1 in the CMIP case, or for the home agent 8B and the PMIP client 6B in the PMIP case. If the home network 12 has WiMax interworking capability, the home agent 8B receives this MIP key from the AAA server of the home network 12. However, as shown in FIG. 5, if the AAA server 11 cannot provide the required MIP attributes in response to the corresponding query of the home agent 8B, the method according to the present invention is applied. Since the 3GPP AAA server 11 shown in FIG. 5 cannot interpret the query of the home agent 8B, it cannot provide a corresponding cryptographic key for protecting the mobility signaling messages. In the method according to the invention, the authentication server 11 of the home network 12 remains unchanged as regards its WiMax capability, and the mobility key is provided to the home agent 8B by the AAA proxy server 8C. Once it has been identified that the authentication server 11 of the home network 12 does not provide a mobility key, a so-called proxy home MIP function is activated and a local data set is generated by the authentication proxy server 8C for this AAA session.
  That is, according to the present invention, the function required for PMIP/CMIP is provided not by the authentication server 11 of the home network 12 but by the AAA proxy server of the intermediate network 9, which lies in the communication path between the authentication server 11 of the 3GPP network and the gateway 6 of the access network 4.

  FIG. 6 shows a flowchart for authenticating the mobile terminal device 1 in an embodiment of the method according to the invention.

  In step S1 after the start step, a wireless connection is first established between the mobile terminal device 1 and the base station 3 of the access network 4. Subsequently, in step S2, an authentication message is transferred between the access network 4 and the home network 12 by the authentication proxy server 8C of the intermediate network 9. The authentication message contains a subscriber identifier identifying the respective mobile terminal device 1. The subscriber identifier is, for example, a network access identifier NAI. Alternatively, the subscriber identifier is formed, for example, by the home address of the mobile terminal device 1. The authentication message forwarded by the AAA proxy server reaches the authentication server 11 of the home network 12, which authenticates the subscriber. If the authentication is successful, the authentication server 11 transmits a corresponding message to the access network 4 via the authentication proxy server 8C of the intermediate network 9. In step S3, the authentication proxy server 8C of the intermediate network 9 checks whether the authentication by the authentication server 11 of the home network 12 has been completed successfully. The authentication proxy server 8C identifies this, for example, from a corresponding success notification of the authentication server 11. When the authentication proxy server 8C identifies, from the message transmitted from the home network 12 to the access network 4, that the authentication of the subscriber has been completed successfully, it checks in step S4 whether the subscriber identifier contained in the authentication message is already stored in the authentication proxy server 8C.

  If the subscriber identifier has already been stored intermediately in the authentication proxy server 8C, the group-specific mobility key is associated with the subscriber identifier in step S5. Advantageously, the time stamp belonging to the subscriber identifier is updated and a belonging flag is set which indicates that the belonging mobility key is a group-specific mobility key. Thus, for identical subscriber identifiers, the authentication proxy server provides one and the same group-specific mobility key. This makes it possible to use an anonymous subscriber identifier, i.e. an anonymous network access identifier NAI (Network Access Identifier). If the subscriber identifier is not uniquely associated with a given subscriber, the subscriber identifier is anonymous (confidential). Such an anonymous subscriber identifier is, for example, “user@vodafone.com”, as shown in the first row of the table of FIG. 9. The group-specific mobility key provided for this anonymous subscriber identifier is “12AF” in the example of FIG. 9. The key type of this mobility key is group-specific and is characterized by a corresponding flag or marker “group specific key”.

  If it is determined in step S4 that the subscriber identifier contained in the authentication message has not yet been stored in the authentication proxy server 8C, a subscriber-specific mobility key is generated in step S6 and associated with the corresponding subscriber identifier. The corresponding key is characterized as subscriber-specific and the belonging time stamp is updated. In the example shown in FIG. 9, when the subscriber identifier “glyn@isarpatent.com” appears for the first time, a subscriber-specific mobility key “14BC” is generated and characterized as subscriber-specific by the flag “user specific key”. In an advantageous embodiment, the subscriber-specific mobility key is derived by the authentication proxy server 8C from the transmitted MSK key, which is contained in the authentication message transmitted via the authentication proxy server 8C to the authentication client 6C of the access network.

  In an advantageous embodiment of the method according to the invention, the group-specific mobility key associated in step S5 is generated randomly by the authentication proxy server 8C. In the example shown in FIG. 9, in a first embodiment, when the subscriber identifier “glyn@isarpatent.com” appears a second time, a further, randomly generated group-specific mobility key is generated. In an alternative embodiment, when the subscriber identifier appears anew, the flag “user specific key” is overwritten by the flag “group specific key”, so that the existing subscriber-specific mobility key “14BC” is now characterized as a group-specific key.

  The method according to the invention ensures that there are no conflicts or inconsistencies when two subscribers use the same subscriber identifier accidentally or deliberately.

  In an advantageous embodiment of the method according to the invention, the subscriber-specific mobility key generated in step S6 is erased by the authentication proxy server 8C using a time stamp after a predetermined short period of time, for example a few seconds.

  The group-specific mobility key for anonymous subscribers is deleted after a substantially longer period of time, for example after several hours, or not at all. This is necessary so that multiple PMIP subscribers using the same anonymous subscriber identifier can log in simultaneously.

  In an alternative embodiment of the method according to the invention, the group-specific mobility key is not pre-generated randomly but is fixedly preconfigured.

  In the method according to the invention, all anonymous subscribers are assigned the same mobility key. The method according to the invention allows an anonymous subscriber identifier to be used in the WiMax network within the framework of login authentication. This realizes support for anonymous subscriber identifiers, i.e. anonymous NAIs. Furthermore, the method according to the invention greatly simplifies the management of the security associations required for Mobile IP and PMIP. This significantly reduces the dynamic memory requirements.

  As can be seen from FIG. 7, when the home agent 8B receives a registration request message at a later time after the start step, the home agent 8B transmits a corresponding key request message to the authentication proxy server 8C in step S8. The received registration request message contains the subscriber identifier of the mobile terminal device 1. The corresponding key request message, which the home agent 8B generates on this basis and sends to the authentication proxy server 8C, likewise contains this subscriber identifier. In step S9, the authentication proxy server 8C checks whether the subscriber identifier contained in the key request message matches one of the subscriber identifiers stored by the authentication proxy server in step S4. If they match, the authentication proxy server 8C provides in step S10 a mobility key for protecting the mobility signaling messages by encryption. The authentication proxy server 8C transmits the provided mobility key to the home agent 8B. Advantageously, the mobility key is also transmitted to the authentication client server 6D of the access network 4.

  In the first embodiment of the method according to the present invention, the mobility key provided in step S10 is randomly generated by the authentication proxy server 8C.

In an alternative embodiment, the mobility key (MIP key) is derived by the authentication proxy server 8C from the MSK (Master Session Key) that the authentication proxy server 8C forwards from the authentication server 11 to the access network 4. The MIP key can be derived from the MSK key by any key derivation function, for example a hash function. A hash function reduces data of arbitrary size to a so-called fingerprint. One example of such a hash function is SHA-1, which maps data of up to 2^64 bits to 160 bits. An alternative hash function is MD5. MD5, like SHA-1, divides the input into blocks of 500 bits and forms a hash value of 128 bits.

  In an alternative embodiment, the provided mobility key is formed by a part of the MSK key received by the authentication proxy server 8C.

  In another alternative embodiment, the provided mobility key is the same as the transmitted MSK key.
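The procedure of FIG. 6 and FIG. 7 (steps S1 to S10) together with the MSK-based derivation alternatives just listed, modelled as an added Python example (this is not code from the patent or from Siemens): an authentication proxy server that keeps the table of FIG. 9, treats a second appearance of the same NAI as an anonymous login that receives the group-specific key, derives subscriber-specific keys from the MSK, answers the home agent's key request locally, and erases entries on the basis of their time stamps. The NAIs `user@vodafone.com` and `glyn@isarpatent.com` are the ones from FIG. 9; the NAI `carol@example.net`, the MSK values, the lifetimes (5 s and 4 h), the HMAC-SHA-256 derivation with the NAI as context, and the rule that a subscriber-specific key is erased once it has been provided (claim 4) are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed lifetimes standing in for "a few seconds" and "several hours".
SUBSCRIBER_KEY_LIFETIME = 5.0        # seconds, subscriber-specific keys
GROUP_KEY_LIFETIME = 4 * 3600.0      # seconds, group-specific keys
USER_SPECIFIC = "user specific key"  # flag values as shown in FIG. 9
GROUP_SPECIFIC = "group specific key"

def derive_mip_key(msk: bytes, subscriber_id: str, method: str = "hash") -> bytes:
    """MSK-based alternatives: a keyed-hash fingerprint (assumption: HMAC-SHA-256 with the
    NAI as context, so different NAIs never share a key), a leading part of the MSK, or the MSK itself."""
    if method == "hash":
        return hmac.new(msk, b"MIP key|" + subscriber_id.encode(), hashlib.sha256).digest()[:16]
    if method == "part":
        return msk[:16]
    if method == "same":
        return msk
    raise ValueError(f"unknown derivation method {method!r}")

@dataclass
class TableEntry:            # one row of the table in FIG. 9
    mobility_key: bytes
    key_type: str            # USER_SPECIFIC or GROUP_SPECIFIC flag
    timestamp: float

class AuthProxyServer:
    """Model of the proxy home MIP function of the authentication proxy server 8C."""

    def __init__(self, clock: Callable[[], float] = time.time,
                 group_key: Optional[bytes] = None, derivation: str = "hash"):
        self._clock = clock
        # Group-specific key: randomly generated (first embodiment) or fixed preconfigured.
        self._group_key = group_key if group_key is not None else secrets.token_bytes(16)
        self._derivation = derivation
        self.table: Dict[str, TableEntry] = {}

    def on_authentication_success(self, subscriber_id: str, msk: bytes) -> TableEntry:
        """Steps S3-S6: the proxied authentication answer reports success for subscriber_id."""
        now = self._clock()
        self._purge_expired(now)
        entry = self.table.get(subscriber_id)
        if entry is not None:
            # S5: the NAI is already present, i.e. it is in use a second time. Treat it as
            # anonymous: group-specific key, flag set, time stamp refreshed.
            entry.mobility_key, entry.key_type, entry.timestamp = self._group_key, GROUP_SPECIFIC, now
        else:
            # S6: first appearance of the NAI: subscriber-specific key derived from the MSK.
            entry = TableEntry(derive_mip_key(msk, subscriber_id, self._derivation), USER_SPECIFIC, now)
            self.table[subscriber_id] = entry
        return entry

    def on_key_request(self, subscriber_id: str) -> Optional[bytes]:
        """Steps S8-S10: the home agent forwards the NAI from the registration request."""
        now = self._clock()
        self._purge_expired(now)
        entry = self.table.get(subscriber_id)
        if entry is None:
            return None  # no local data set for this NAI: the request cannot be answered locally
        if entry.key_type == USER_SPECIFIC:
            # A subscriber-specific key is handed out once and then erased (claim 4); the
            # group-specific key stays, so later stations using the same NAI receive it too.
            del self.table[subscriber_id]
        return entry.mobility_key

    def _purge_expired(self, now: float) -> None:
        # Time-stamp based erasure: short for subscriber-specific keys, long for group keys.
        for sid, entry in list(self.table.items()):
            lifetime = SUBSCRIBER_KEY_LIFETIME if entry.key_type == USER_SPECIFIC else GROUP_KEY_LIFETIME
            if now - entry.timestamp > lifetime:
                del self.table[sid]

def demo() -> dict:
    """FIG. 8 scenario with constructed NAIs and MSKs: MS1 and MS2 share one anonymous NAI."""
    now = [1000.0]  # controllable clock so the expiry behaviour is reproducible
    proxy = AuthProxyServer(clock=lambda: now[0])
    msk = {name: secrets.token_bytes(64) for name in ("MS1", "MS2", "glyn", "carol")}
    proxy.on_authentication_success("user@vodafone.com", msk["MS1"])     # MS1: first appearance
    proxy.on_authentication_success("glyn@isarpatent.com", msk["glyn"])
    proxy.on_authentication_success("carol@example.net", msk["carol"])   # constructed NAI
    now[0] += 1.0
    proxy.on_authentication_success("user@vodafone.com", msk["MS2"])     # MS2 reuses the NAI
    anonymous_type = proxy.table["user@vodafone.com"].key_type
    k_ms1 = proxy.on_key_request("user@vodafone.com")    # home agent: MS1's registration
    k_ms2 = proxy.on_key_request("user@vodafone.com")    # home agent: MS2's registration
    k_glyn = proxy.on_key_request("glyn@isarpatent.com")
    k_glyn_again = proxy.on_key_request("glyn@isarpatent.com")  # already erased after provision
    now[0] += SUBSCRIBER_KEY_LIFETIME + 1.0                      # carol's key times out unused
    return {
        "anonymous_key_type": anonymous_type,
        "ms1_and_ms2_share_key": k_ms1 is not None and k_ms1 == k_ms2,
        "named_key_from_msk": k_glyn == derive_mip_key(msk["glyn"], "glyn@isarpatent.com"),
        "named_key_second_request": k_glyn_again,
        "expired_key_request": proxy.on_key_request("carol@example.net"),
    }
```

Two points the code makes visible: the short lifetime of the subscriber-specific key is what separates a second login of a genuine subscriber from two simultaneous stations sharing an anonymous NAI, so that only the latter collapse onto the group key; and of the three derivation alternatives, handing the home agent the MSK itself gives that agent the session's master key, whereas a context-bound derivation confines any compromise of the home agent's key store to the MIP key alone.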

  In an advantageous embodiment, the authentication message is transmitted according to the RADIUS or DIAMETER protocol.

  In the method according to the invention, if the home MIP function is not supported by the home network 12, the intermediate network 9 provides this home MIP function. As a result, macro mobility based on MIP can be realized even with a home network that does not support MIP, such as a 3GPP network. MIP is used in the access network 4 and the intermediate network 9 to realize handover between the various access networks 4. At MIP registration by the foreign agent 6A, the home agent 8B of the intermediate network 9 queries its associated authentication proxy server 8C for the mobility key. For this, the home agent 8B uses the corresponding subscriber identifier, for example the network access identifier NAI (Network Access Identifier) or the home address of the mobile terminal device 1. If a corresponding data set has been generated, this key request message is answered locally by the authentication proxy server 8C. In order for the authentication proxy server 8C to provide the respective key, it is designed to be able to interpret the messages exchanged between the authentication server 11 of the home network 12 and the authenticator in the access network 4 during authentication of the mobile terminal device 1.

  As shown in FIG. 5, the home agent 8B is preferably present in the intermediate network 9. In an alternative embodiment, a home agent 8B exists in the home network 12.

  In an alternative embodiment of the method according to the invention, Mobile IPv6 [RFC3775] is used as the Mobile IP function.

  In an advantageous embodiment of the method according to the invention, the mobility key is queried once by the home agent 8B from the authentication proxy server using a key request message.

  With the method according to the invention, a legacy AAA server, for example a WLAN or 3GPP server, can be used with a WiMax network even though it does not provide the CMIP/PMIP functionality expected by the WiMAX network. With the method according to the present invention, PMIP-based macro mobility is achieved despite the use of legacy AAA servers in the home network 12. Network providers in WLAN or 3GPP networks therefore generally do not need to support PMIP themselves and can nevertheless allow their customers roaming/interworking using WiMax wireless networks. In particular, with the method according to the present invention, WiMAX interworking can be realized through support of PMIP, without the terminal device having to support Mobile IP. In particular, the method according to the present invention can implement WiMax-3GPP interworking in the same way as the currently specified WLAN direct IP access.

  FIG. 8 shows a message flow chart of an advantageous embodiment of the method according to the invention. In the embodiment shown in FIG. 8, the access network 4 and the intermediate network 9 are WiMax networks, and the home network 12 is a 3GPP network. When the authentication proxy server 8C provided in the intermediate network 9 has already stored the subscriber identifier contained in the authentication message relating to the second mobile station MS2, it associates the mobile station MS2 with the same group-specific mobility key as the mobile station MS1. In the method according to the invention, a key request message containing a subscriber identifier is answered by the authentication proxy server 8C of the intermediate network 9. Thus, the method according to the present invention realizes macro mobility management in WiMax networks without assistance from the home network.

  FIG. 9 shows an example of a table, preferably stored in the authentication proxy server 8C of the intermediate network 9, for explaining the method according to the invention.


Claims (35)

  1. In a method for providing at least one mobility key for protecting mobility signaling messages for a home agent by encryption:
    (a) establishing a wireless connection between a mobile subscriber terminal (1) and the access network (4), wherein an authentication proxy server (8C) of an intermediate network (9) transfers, for authentication of the subscriber by the authentication server (11), at least one authentication message containing a subscriber identifier between the access network (4) and the subscriber's home network (12), and, if the subscriber identifier contained in the authentication message is already stored in the authentication proxy server (8C) and the authentication by the authentication server (11) of the home network (12) is successful, a group-specific mobility key is associated with the subscriber identifier;
    (b) the home agent (8B) receives a registration request message originating from the subscriber terminal device (1) and containing the subscriber identifier;
    (c) a key request message relating to a mobility key, containing the subscriber identifier contained in the registration request message, is sent from the home agent (8B) to the authentication proxy server (8C) to which it belongs;
    (d) if the subscriber identifier contained in the key request message matches one of the subscriber identifiers stored by the authentication proxy server (8C), the authentication proxy server (8C) provides a mobility key to the home agent (8B).
  2.   The method according to claim 1, wherein the authentication proxy server (8C) generates a subscriber-specific mobility key when the authentication by the authentication server (11) of the home network (12) is successful, and associates the subscriber-specific mobility key with the subscriber identifier if the subscriber identifier contained in the authentication message is not yet stored in the authentication proxy server (8C).
  3.   The method according to claim 1, wherein the authentication proxy server (8C) deletes the generated subscriber-specific mobility key after a predetermined short period of time.
  4.   The method according to claim 1, wherein the authentication proxy server (8C) deletes the generated subscriber-specific mobility key after providing the subscriber-specific mobility key to the home agent (8B).
  5.   The method of claim 1, wherein the authentication proxy server (8C) erases the group specific mobility key after a predetermined long period of time.
  6.   The method according to claim 1, wherein, if the subscriber identifier contained in the authentication message is already stored in the authentication proxy server (8C), the authentication proxy server (8C) updates the time stamp belonging to the subscriber identifier and sets a belonging flag indicating that the belonging mobility key is a group-specific mobility key.
  7.   The method according to claim 1, wherein the authentication proxy server (8C) randomly generates a group-specific mobility key.
  8.   The method according to claim 1, wherein, when the authentication is successful, the authentication server (11) of the home network (12) transmits an MSK key contained in the authentication message via the authentication proxy server (8C) to an authentication client (6C) of the access network (4).
  9.   The method according to claim 8, wherein the authentication proxy server (8C) derives a subscriber-specific mobility key from the transmitted MSK key.
  10.   The method of claim 9, wherein the subscriber-specific mobility key forms part of the transmitted MSK key.
  11.   The method of claim 9, wherein the subscriber-specific mobility key is the same as the transmitted MSK key.
  12.   The method of claim 9, wherein the subscriber-specific mobility key is derived by a cryptographic key derivation function or a cryptographic hash function.
  13.   The method of claim 1, wherein the authentication message is transmitted according to a RADIUS data transmission protocol.
  14.   The method of claim 1, wherein the authentication message is transmitted according to a DIAMETER data transmission protocol.
  15.   The method according to claim 1, wherein the access network (4) is formed by a WiMax access network (ASN).
  16.   The method of claim 1, wherein the intermediate network (9) is formed by a WiMax intermediate network (CSN).
  17.   The method of claim 1, wherein the home network (12) is formed by a 3GPP network.
  18.   The method of claim 1, wherein the home network is formed by a WLAN network.
  19.   The method of claim 1, wherein the subscriber identifier is formed by a network access identifier NAI.
  20.   The method according to claim 1, wherein the mobility key is additionally provided to a PMIP client (6B) of the access network (4).
  21.   The method according to claim 1, wherein a plurality of intermediate networks (9) exist between the access network (4) and the home network (12).
  22.   The method according to claim 21, wherein the home agent (8B) is provided in one of the home network (12) or the intermediate network (9).
  23.   The method according to claim 21, wherein the authentication proxy server (8C) is provided in one of the home network (12) or the intermediate network (9).
  24. An authentication proxy server (8C) that provides a mobility key to a home agent for protecting mobility signaling messages by encryption,
    wherein, when a subscriber identifier relating to a subscriber is already stored in the authentication proxy server (8C), the authentication proxy server (8C), after successful authentication of the subscriber by the authentication server (11), associates a group-specific mobility key with the subscriber identifier using an authentication message containing the subscriber identifier.
  25.   The authentication proxy server according to claim 24, wherein, if the authentication of the subscriber is successful, a subscriber-specific mobility key is generated using an authentication message containing the subscriber identifier, and, if the subscriber identifier contained in the authentication message is not yet stored in the authentication proxy server (8C), the subscriber-specific mobility key is associated with the corresponding subscriber identifier.
  26.   The authentication proxy server according to claim 25, wherein the generated subscriber-specific mobility key is deleted after a predetermined short period of time.
  27.   The authentication proxy server according to claim 25, wherein the generated subscriber-specific mobility key is deleted after provision of the subscriber-specific mobility key to the home agent.
  28.   The authentication proxy server of claim 24, wherein the group-specific mobility key is erased before a predetermined long period of time.
  29.   The authentication proxy server according to claim 24, wherein, if the subscriber identifier contained in the authentication message is already stored, the time stamp belonging to the subscriber identifier is updated and a flag is set indicating that the belonging mobility key is a group-specific mobility key.
  30.   The authentication proxy server according to claim 24, which randomly generates a mobility key.
  31.   The authentication proxy server according to claim 24, connected to an authentication server (11) of the home network (12).
  32.   The authentication proxy server according to claim 24, wherein the mobility key is derived from an MSK key output by an authentication server (11) of a home network (12).
  33.   The authentication proxy server according to claim 24, wherein the home network (12) is a 3GPP network.
  34.   The authentication proxy server according to claim 24, wherein the home network (12) is a WLAN network.
  35.   The authentication proxy server according to claim 24, wherein the authentication proxy server is a WiMax authentication proxy server.
JP2008539397A 2005-11-04 2006-10-30 Method and server for providing mobility key Active JP4861426B2 (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
DE102005052724 2005-11-04
DE102005052724.8 2005-11-04
DE102006008745A DE102006008745A1 (en) 2005-11-04 2006-02-24 Method and server for providing a mobility key
DE102006008745.3 2006-02-24
PCT/EP2006/067930 WO2007051776A1 (en) 2005-11-04 2006-10-30 Method and server for providing a mobile key

Publications (2)

Publication Number Publication Date
JP2009515450A JP2009515450A (en) 2009-04-09
JP4861426B2 true JP4861426B2 (en) 2012-01-25

Family

ID=37801439

Family Applications (1)

Application Number Title Priority Date Filing Date
JP2008539397A Active JP4861426B2 (en) 2005-11-04 2006-10-30 Method and server for providing mobility key

Country Status (8)

Country Link
US (1) US8477945B2 (en)
EP (1) EP1943808B1 (en)
JP (1) JP4861426B2 (en)
KR (1) KR20080068732A (en)
CN (1) CN101300815B (en)
DE (1) DE102006008745A1 (en)
ES (1) ES2662591T3 (en)
WO (1) WO2007051776A1 (en)

US7639802B2 (en) * 2004-09-27 2009-12-29 Cisco Technology, Inc. Methods and apparatus for bootstrapping Mobile-Foreign and Foreign-Home authentication keys in Mobile IP
WO2006039623A2 (en) * 2004-10-01 2006-04-13 Nextel Communications, Inc. System and method for dispatch roaming registration
US7313394B2 (en) * 2005-07-15 2007-12-25 Intel Corporation Secure proxy mobile apparatus, systems, and methods
US20070086382A1 (en) * 2005-10-17 2007-04-19 Vidya Narayanan Methods of network access configuration in an IP network
DE102006008745A1 (en) 2005-11-04 2007-05-10 Siemens Ag Method and server for providing a mobility key

Also Published As

Publication number Publication date
US8477945B2 (en) 2013-07-02
DE102006008745A1 (en) 2007-05-10
CN101300815B (en) 2012-11-14
EP1943808A1 (en) 2008-07-16
WO2007051776A1 (en) 2007-05-10
CN101300815A (en) 2008-11-05
EP1943808B1 (en) 2018-01-31
US20090193253A1 (en) 2009-07-30
ES2662591T3 (en) 2018-04-09
JP2009515450A (en) 2009-04-09
KR20080068732A (en) 2008-07-23

Similar Documents

Publication Publication Date Title
US10069803B2 (en) Method for secure network based route optimization in mobile networks
US9544282B2 (en) Changing group member reachability information
US10425808B2 (en) Managing user access in a communications network
US8549294B2 (en) Securing home agent to mobile node communication with HA-MN key
Soliman et al. Hierarchical mobile IPv6 (HMIPv6) mobility management
US8498414B2 (en) Secure route optimization in mobile internet protocol using trusted domain name servers
US9768961B2 (en) Encrypted indentifiers in a wireless communication system
Devarapalli et al. Mobile IPv6 operation with IKEv2 and the revised IPsec architecture
US8514851B2 (en) Mobile IPv6 authentication and authorization baseline
US7945777B2 (en) Identification information protection method in WLAN inter-working
ES2277495B1 (en) Address mechanisms in mobile ip.
US7475241B2 (en) Methods and apparatus for dynamic session key generation and rekeying in mobile IP
US7516486B2 (en) Communication between a private network and a roaming mobile terminal
US8897257B2 (en) Context transfer in a communication network comprising plural heterogeneous access networks
CN101843145B (en) A system and method for reselection of a packet data network gateway when establishing connectivity
JP4723158B2 (en) Authentication methods in packet data networks
CN101185311B (en) Utilizing generic authentication architecture for mobile internet protocol key distribution
CN101160924B (en) Method for distributing certificates in a communication system
US8046583B2 (en) Wireless terminal
DE602004007708T2 (en) A method for common authentication and authorization across different networks
US7805605B2 (en) Server, terminal control device and terminal authentication method
CN1836417B (en) Method, system and apparatus to support hierarchical mobile IP services
DK2137925T3 (en) User profile, guideline and pmip key distribution in a wireless communication network
US6769000B1 (en) Unified directory services architecture for an IP mobility architecture framework
US9344881B2 (en) Identifiers in a communication system

Legal Events

Code Title Description
A977 Report on retrieval. Free format text: JAPANESE INTERMEDIATE CODE: A971007. Effective date: 20101224
RD04 Notification of resignation of power of attorney. Free format text: JAPANESE INTERMEDIATE CODE: A7424. Effective date: 20101227
RD04 Notification of resignation of power of attorney. Free format text: JAPANESE INTERMEDIATE CODE: A7424. Effective date: 20101228
A131 Notification of reasons for refusal. Free format text: JAPANESE INTERMEDIATE CODE: A131. Effective date: 20110128
A521 Written amendment. Free format text: JAPANESE INTERMEDIATE CODE: A523. Effective date: 20110425
TRDD Decision of grant or rejection written
A01 Written decision to grant a patent or to grant a registration (utility model). Free format text: JAPANESE INTERMEDIATE CODE: A01. Effective date: 20111006
A01 Written decision to grant a patent or to grant a registration (utility model). Free format text: JAPANESE INTERMEDIATE CODE: A01
A61 First payment of annual fees (during grant procedure). Free format text: JAPANESE INTERMEDIATE CODE: A61. Effective date: 20111104
R150 Certificate of patent or registration of utility model. Free format text: JAPANESE INTERMEDIATE CODE: R150
FPAY Renewal fee payment (event date is renewal date of database). Free format text: PAYMENT UNTIL: 20141111. Year of fee payment: 3
R250 Receipt of annual fees. Free format text: JAPANESE INTERMEDIATE CODE: R250 (this event is recorded five times; no dates are given)